Ongoing Linux/Solaris Compromise Epidemic 366
An anonymous reader writes to point out that Stanford's Information Technology Systems and Services "has written a summary of a series of compromises that have been happening at universities, research institutions, and high performance computing centers, for the last month or more. The attackers are using known vulnerabilities in Linux and Solaris, along with compromised user accounts, to gain access and control of systems, from standalone servers to HPC clusters ... (the attacks are still ongoing)."
Nothing to worry about (Score:5, Funny)
DAMN IT MITNICK! (Score:2, Funny)
Re:Nothing to worry about (Score:3, Informative)
Uhm, I think it was a joke ..
Re:Nothing to worry about (Score:4, Insightful)
When Windows is being compromised, that's cause for Microsoft to ignore, deny, and lie about the problem, and if that fails, spend a few billion dollars on PR. When Linux is being compromised, that's for knowledgeable programmers to study, work on, and fix the vulnerability.
Check out a good substitute for all your Linux (Score:3, Funny)
Here [microsoft.com] - those guys make a kernel, kickass GUI environment (faster than GNOME and easier to use than KDE) plus some office word editors and educational stuff like encyclopedias and maps.
I'm just glad... (Score:4, Funny)
aQazaQa
Win 95 to the rescue! (Score:5, Funny)
Security through boredom, my new secret weapon take th^454&*%2^$^^^B
Windows is not the only vulnerable OS (Score:3, Insightful)
Assuming that Unix/Linux is invulnerable to security holes is deadly. Though the OS may have more security features and "more eyes" on the code than closed source operating systems, we must not rest on our laurels watching Windows implode while our own house is burning.
Re:Windows is not the only vulnerable OS (Score:4, Insightful)
All the vulns mentioned have patches/fixes/replacements for the faulty code.
The System Administrators are at fault FOR NOT MAINTAINING THEIR SYSTEMS PROPERLY.
Re:Windows is not the only vulnerable OS (Score:5, Insightful)
Re:Windows is not the only vulnerable OS (Score:5, Interesting)
Wrong. People rail because Microsoft rarely gets it right the first time, and are damned slow and arrogant about fixing security holes. Oh, sorry. They did speed up their response time on security issues after realizing that the public was noticing and they were losing a little market share in IIS.
Re:Windows is not the only vulnerable OS (Score:3, Insightful)
Most companies don't get it right the first time. If they did there would never be patches would there!
People do like to slam MS about holes that have known fixes for them along with newly discovered holes
I agree that MS have tighten up about security because of market share but this doesn't change the fact that some people will look at a situation like this in the linux world and point fingers at the admin for not having things up to date but in the MS world they'll blame MS first not the admin that hav
Re:Windows is not the only vulnerable OS (Score:5, Insightful)
There is a well founded fear many Windows admins have about MS patches. They tend to break things. Patch Win2k, and MS-SQL does not work upon reboot. Or that third party medical charting software suddenly does not work.
Windows is very complex (many would say "too complex"), and certainly suffers from the "integration" of its parts. Therefore, unintentional side effects of patches are envitable. With Unix(ish) systems, the descrete parts can be patched, well, descretely. You can patch Sendmail, or MySQL, or OpenSSL all by itself (although sometimes you must recompile applications that depend on shared libraries, such as OpenSSL).
Re:Windows is not the only vulnerable OS (Score:3, Insightful)
Re:Windows is not the only vulnerable OS (Score:3, Insightful)
has shown that corporations can be held liable for their irresponsibility for exploiting the ignorant.
I wish.
Our whole damn culture is a corporate strategy to create fools who will part with their money.
Re:Windows is not the only vulnerable OS (Score:3, Insightful)
It's no different.
I also hear other people calling those first people idiots. No software is perfect. Security is a process. Patching is forever.
Re:Windows is not the only vulnerable OS (Score:5, Interesting)
The p;roblem, among others, is that we don't have enough real punishment going on for hacking activities.
The internet has become the equivalent to living in a slum. Sure, the property is cheap, but if you don't have bars on your windows, you can count on a break in. And lots of people will tell you it's your own fault for not putting bars on your windows and living in a walled compound with broken glass on the tops of the walls.
I agree that the systems should be patched, but the real problem is that there are communities of thugs who feel at liberty... NO, who ARE at liberty (due to the lack of a cohesive international enforcement) to do what ever they want to you machine.
I vote for real international difficult (I know that's not going to be trivial) and hard jail time when people are caught. And, just like Kevin Mitnick, they should not be allowed to work with computers when they get out.
Re:Windows is not the only vulnerable OS (Score:3, Interesting)
First and foremost "hacking" activities as you so aptly put it, are not the reason this is a problem, its the LACK of hacking activities at companies like MS that started this problem, they dont check their own software well enough. period.
A hacker doesnt break the law (well any sane law, shit like the DMCA can fuck off) script kiddies and crackers are the one's who do shit like this.
If you leave your system wide open it
Re:Windows is not the only vulnerable OS (Score:3, Interesting)
According to a friend who used to work there, MS has teams of people whose job is to take their custom-built equipment anywhere they want on site and see if they can hack into systems.
I'm not really sure what more they could be doing, other than allowing everybody to view their source code.
Re:Windows is not the only vulnerable OS (Score:3, Insightful)
Th
Re:Windows is not the only vulnerable OS (Score:5, Insightful)
Now that said, you have an interesting slant on ethics. By that mindset, a burglar is perfectly entitled to break into your apartment because your door could be kicked in. A theif can swipe your radio because, hey, it was only glass between him and what he wanted.
Yes, there is a certain amount to be said for not painting a target on yourself. But regardless of how much you "had it coming" it's still a crime to break into your dwelling, steal your property, or damage your person or posessions. System intrusion is a crime, and a matter for law enforcement.
Re:Windows is not the only vulnerable OS (Score:4, Funny)
How's the reformation coming?
Re:Windows is not the only vulnerable OS (Score:3, Insightful)
Extending your analogy to what he actually said, Masterlock isn't responsible when you don't actually LOCK the damned lock. Which, of course, they aren't nor should anyone blame them for losses suffered from the inability of the purchasers of their equipment to properly USE that equipment.
Re:Windows is not the only vulnerable OS (Score:5, Insightful)
Why not?
Well, what happens if that system just happens to be the payroll system, for example? What happens if the patch just manages to break the system so that the fortnightly payroll run doesn't happen? What happens when that money, which you expected to be in your bank account, doesn't appear? What happens when your mortgage provider goes to pull out your fortnightly mortgage repayment, and finds that there's no money in there to grab?
It isn't as simple as "Here's a patch, you're now secure as long as you apply it." We're talking real-world systems, with real-world conflicts and requirements. If you step outside the known and tested, you're liable to break things.
In other words: have a second system which you can throw patches onto and pound away on for a week or two, to make sure that those patches don't break anything important. Then throw the patches onto the live, production system. Doing it any other way could cause serious problems.
Sometimes, it's a case of having a choice: either you're secure, or your business is functioning. This is not a choice that I would want anybody to have to make, but you need to know that that choice is entirely possible, every time a new patch is released from your vendor, whether that vendor be Microsoft, Sun, IBM, HP, SGI, Apple, or Linus. Note that I'm not talking about deliberately (or through slacking off) avoiding application of patches; I'm talking about verifying that the patches still let you function as a business.
Or, in other words: IT exists to serve the business. The business does not operate to serve IT. Most of the time, there is no conflict between the two, but when there is, you need to make damn sure that the right one wins.
Wait, isn't the same true for Microsoft (Score:3, Insightful)
Re:Windows is not the only vulnerable OS (Score:3, Insightful)
I work with a large organization with hundreds of servers and no patch gets install until the patch is tested to make sure it does not break the business app. That means setting up a lab with as close to production setup as possible, install the patch and try to run some realistic tests to confirm that things work. If everything checks out then you can update that server. Repeat process for each application. Don't forget the m
Re:Windows is not the only vulnerable OS (Score:3, Informative)
Re:Windows is not the only vulnerable OS (Score:2)
goalie sys admin
bad analogy. The goalie was the last line of defense with not many tools at his disposal to block the ball.
The fixes for the exploits discussed have been out for a while, any system administrator, with only normal tools and knowledge, would have done something about patching systems.
The excuse, "patching is easy in theory, hard in practice", is a LAME excuse.
Re:Windows is not the only vulnerable OS (Score:2)
Don't kid yourself. This didn't happen. Linux isn't popular enough for this kind of attack. Heck. Ignore all that infosec history too. Didn't happen. Not popular.
Re:Windows is not the only vulnerable OS (Score:3, Insightful)
It is important that when we wave our flags and cheer when Microsoft is laid low by the latest security flaw that we not close our eyes to the very real vulnerabilities in the Unix/Linux system.
Is there really flag waving and cheering going on? Perhaps joking and laugher. Also Linux vs. Microsoft(leaving Unix out for now) is not comparable to
Bonjour, Monsieur Straw (Score:3, Insightful)
It is important that when we wave our flags and cheer when Microsoft is laid low by the latest security flaw that we not close our eyes to the very real vulnerabilities in the Unix/Linux system.
No one is. Work is always being done to find and fix vulnerabilities in *nix variants.
No OS can be fully secured
No one with a brain ever claimed that was the case.
Assuming that Unix/Linux is invulnerable to security holes is deadly.
See last comment.
Though the OS may have more security fe
Re:Windows is not the only vulnerable OS (Score:3)
Re:Windows is not the only vulnerable OS (Score:2)
Dance, Monkeyboy... dance.
Or did you actually have some technical comment to make?
Re:Windows is not the only vulnerable OS (Score:3, Funny)
Re:Insightful my ass. (Score:2)
Unix is not the only OS that can handle remote logins.
In other words (Score:5, Insightful)
In other words, Stanford doesn't keep its Linux boxes up to date. These exploits have been fixed. Linux too requires maintenance and patching, not just Windows.
Re:In other words (Score:5, Insightful)
Re:In other words (Score:2)
Re:In other words (Score:5, Informative)
There's no excuse, when putting up a several hundred node cluster to not get an extra machine through which it needs to be accessed that is not part of the cluster. That machine can trivially be kept secure & the cluster can then be updated as is convenient (IE - not replacing the kernel in the middle of a 3-week long computation; even at that, tho, anything that's going to take 3wk should be able to checkpoint itself without loosing much).
Re:In other words (Score:4, Insightful)
Academic computing is the epitome of *available* computing, in the sense that availability is the highest priority. Financial institutions may prioritise (or at least, should prioritise) security and a good administration over availability, but by its nature, academic computing involves disparate infrastructures, various levels of admins with various goals, and so forth. All students, faculty, and staff need access; frequently, granting loose, unsecure access is simply more efficient for the time being than making things secure. Such is life.
Re:In other words (Score:2)
Re:In other words (Score:4, Insightful)
The attacks start with the compromise of an unprivileged local user account. Usually this is because the attacker's captured the password from somewhere else: it's been sniffed off the network (through the use of insecure protocols like telnet), it's been collected when the user signs on to or from another compromised machine, it's been harvested from the password file on a compromised system.
So, we have user passwords as the source, which users freely give away by (1) using telnet instead of SSH, (2) just being very uninformed or gullible users, enough to plug in his/her unix password to a web form, and (3) once-removed version of (1) or (2) since these are just obtained from other compromised machines.
(1) and (2) are arguably the same problem, so that boils down to: users breaking rules -- surprise! But, that's easy to say, but hard to fix without more power . What to do? Seriously? Fine users for breaking rules?
Re:In other words (Score:3, Insightful)
I once approaced one of the computer dorks at the lab about making PuTTY available to everyone on the lab computers, explaining packet sniffing (what's worse is that most of the individual labs were hubbed), and he turned me into the administration
Re:Token-based security (Score:3, Funny)
Wrong! Use tokens *and passwords* !
Using just tokens opens your users to a wide range of physical attacks... especially if they're college students with roomates who can "borrow" things for a few minutes of infringement.
I wonder if Debian supports any of those systems yet?
Yes. RSA SecureIDs can be used with almost any computer system. (They are a combined physical-token + password solution, and have better hardware compatiblity than a usb-key, as the user reads an LCD
If unpatched WinXX counts so does unpatched Linux (Score:3, Interesting)
Re:In other words (Score:3, Insightful)
The machines should of course be patched up to date, but I think the real failing here is the sysadmins not enforcing secure protocols - it doesn't take much to disable the telnet and ftp servers and make people use ssh and scp, etc instead. As soon as users are allowed to send authentication details in the clear instead of e
If you read to the VERY end of the article... (Score:5, Informative)
We know this.
No more default last 4 digits of SSN as a password.
Make them use something more secure! And disable telnet, for goodness sakes.
Inconvieience (sp?) your students in order to secure your system. It's all fun and games until someone uses a rootkit to play with GPAs.
Re:If you read to the VERY end of the article... (Score:2)
Any institution that maintains it's confidential grading records on the same network as academic computing (or even attached to the academic network in any way) deserves every lawsuit that such an action should engender.
Re:If you read to the VERY end of the article... (Score:2)
Then it's a sport. :)
The problem with passwords (Score:3, Insightful)
You pretty much have to assume that black-hats are going to be able to runs escalation exploits and work accordingly. That or severely limit how users are allowed to interact with the machine (if they only need to access email or upload files, WTF should they be able to run anything else?).
But yeah, good passwords limit the opportunities.
Xix.
Re:The problem with passwords (Score:3, Informative)
Every place that I worked at which enforced these kinds of rules, ended up with Post-It notes with passwords scattered all over the work area. Plus, the users didn't like to ask the admins for help because the "stupid IT-guys are assholes who cause more pain than they solve".
I haven't met too many users that mind getting some help picking a good initial passwor
IMO all of these attacks are related (Score:4, Interesting)
Just a feeling.
Washingtonpost.com has the complete story (Score:5, Informative)
Hmm, doesn't seem very unusual. (Score:5, Informative)
Don't send passwords in plain text on the network, and enforce proper password policies (8 char minimum, numbers, letters and symbols etc).
Re:Hmm, doesn't seem very unusual. (Score:4, Informative)
enforce proper password policies (8 char minimum, numbers, letters and symbols etc).
I've always been against this, or at least the more anal implementations of it, in that forcing people to choose hard-to-remember passwords typically leads to writing the passwords down--often in obvious places--which makes the problem worse instead of better. Good encryption (e.g. ssh instead of telnet) and good security measures (e.g. shadow passwords) are much more effective than draconian policies that don't achieve their ends anyway.
(And as for numbers and symbols making passwords less crackable--admit it, how many of you use 1337speak to make up the number/symbol quota?)
Re:Hmm, doesn't seem very unusual. (Score:4, Funny)
Doh, how did you know my password was 1337speak? I better change now that you've posted it on Slashdot!
Re:Hmm, doesn't seem very unusual. (Score:2)
Sounds to me like admin's aren't being responsible with server accounts, shame on them. We
Re:Hmm, doesn't seem very unusual. (Score:3, Interesting)
An excellent point, however, that that standard 1337 letter-number substitutions do basically nothing to improve your password security, as any half-decent password cracker will try those substitutions early in a dictionary attack.
I recommend the use of symbols where appropriate (throwing a !, ^ or & into your password won't hurt) and taking the time to try to pick a good p
Re:Hmm, doesn't seem very unusual. (Score:3, Interesting)
Re:Hmm, doesn't seem very unusual.-Memonic. (Score:2)
A good password isn't that hard. You don't need lots of symbols or numbers to make it hard. In fact making a good password is a lot like the devices used to recall information from memory.
Agreed, and I use my own mnemonic devices to make easy-to-remember, hard-to-guess passwords. (The only time I had a password cracked was back when I was a naive telnet-using kid at university . . . argh, that's too many years ago.) But I'm willing to bet that many, many people out there either don't have that insight
Re:Hmm, doesn't seem very unusual. (Score:2, Insightful)
They could be using hardware keyloggers, in which case NO machine is invulnerable.
Note to self (Score:5, Funny)
Re:Note to self (Score:5, Funny)
These attacks didn't need root passwords (Score:2)
Sloppy work all around (Score:5, Insightful)
If the sysadmins had actually patched their servers with the appropriate security patches the "hackers" would have never gotten in, in the first place. If you read the counter measure section this isn't anything new that they shouldn't be doing every day and enforcing.
If you look at the section entitled Evidence of compromise you can see that the people breaking into the systems are leaving a pretty big trail to follow. In my job, when customers start complaining that their servers are working quite right, when you take a look at whats going on you can see a root kits been installed. The whole idea of a root kit is to cover your tracks. If these guys did a better job you'd never know you were hacked. Its quite sad really. Laziness is the biggest security problem if you ask me.
Re:Sloppy work all around (Score:2, Interesting)
Re:Sloppy work all around (Score:2)
Okay, everybody raise your hand if you've known the salaries of all your higherups at every job you've ever worked.
Yep, me too. Even when payroll was handled offsite, I had the XVP call me into his office for help with a spreadsheet formula. The spreadsheet was all of upper management's salaries and profit sharing.
I didn't vomit, but I did take one look at the spread
Been hitting Caltech too (Score:4, Informative)
Yeah, so? (Score:5, Interesting)
HPC Clusters? (Score:4, Funny)
Re:HPC Clusters? (Score:2)
My opinion (Score:3, Interesting)
they wanna know WHAT? (Score:4, Insightful)
Never mind the compromised machines. Let's try social engineering instead. I know! We'll make a security alert, get it on Slashdot, and the poor trusting souls will beat a path to our POP3 account!
Seriously, you might as well just hand them your hard drive and credit card number.
HPC question (Score:2, Insightful)
Libsafe protects against buffer overflow exploits (Score:5, Interesting)
If more sysadmins installed this, perhaps we wouldn't have problems with so many Linux compromises? Of course it's no substitute for patching, but seems like a good additional security measure.
This is from the gnu.org software directory [gnu.org]
The exploitation of buffer overflow and format string vulnerabilities in process stacks are a significant portion of security attacks. 'libsafe' is based on a middleware software layer that intercepts all function calls made to library functions known to be vulnerable. A substitute version of the corresponding function implements the original function in a way that ensures that any buffer overflows are contained within the current stack frame, which prevents attackers from overwriting the return address and hijacking the control flow of a running program.
The true benefit of using libsafe is protection against future attacks on programs not yet known to be vulnerable. The performance overhead of libsafe is negligible, it does not require changes to the OS, it works with existing binary programs, and it does not need access to the source code of defective programs, or recompilation or off-line processing of binaries.
Re:Libsafe protects against buffer overflow exploi (Score:2, Informative)
I also combine it with grsecurity, which adds even more protection.
You should always remember though, these are just added layers of security. If someone can sniff your root password you're still cactus.
Re:Libsafe protects against buffer overflow exploi (Score:5, Interesting)
I still use libsafe. It is the greatest thing since sliced bread. Ok, that and distcc. Distcc and rsync... and ssh... DOH!
Re:Libsafe protects against buffer overflow exploi (Score:3, Interesting)
Re:Libsafe protects against buffer overflow exploi (Score:2)
Imagine... (Score:5, Funny)
From the Stanford article:
And further down...
To paraphrase a cliche without any attempt at humor:
Imagine a Beowulf cluster running John the Ripper.
Re:Imagine... (Score:2)
Never did that. But did, on occasion, have a Cray running crack.
Nobody appreciated the quips about a crack-using Cray though.
Now, wait a moment ... (Score:5, Interesting)
Now, my opinion of MS is not that great, but this just seems wrong.
Regards,
John
Re:Now, wait a moment ... (Score:2, Funny)
Not really, if one of the companies is a cockroach.
Re:Now, wait a moment ... (Score:4, Informative)
Re:Now, wait a moment ... (Score:4, Interesting)
This article is about incompetent admins and actual security breaches using exploits that have had fixes for ages. Thus, security. The windows item was on patches for actual bugs and didn't mention any specific exploit instances: thus, bugs.
It all makes sense now, doesn't it?
No (Score:3, Insightful)
It's the one-eyed, severely slanted nature of the Slashdot readership that:
* Microsoft is evil, stupid, moronic, evil, nasty, unsafe, did I mention evil?
* Linux is the shining non-denominational grail.
For god sake, there are security vulnerabilities in both people... and they aren't taken advantage of within the *nix world, because... hey, guess what? The majority of users are computer savvy, and k
Re:No (Score:3, Interesting)
Well... yeah, they are, what's really the problem with admitting that? We know something about the company and their track-record, why should that not be allowed to colour our current opinion of them?
Oh, I misunderstood... (Score:2)
Oh well.
academic machines? (Score:4, Interesting)
I can see why they would want to target academic boxen if they wanted high-powered computers to do some serious slaved number crunching. If they are just going to launch a DDoS attack or send a bunch of spam though, academic computers are not the best. Most academic sysadmins have fairly limited budgets, and spend a fair amount on bandwidth. As such, they rule their bandwidth with an iron fist in many cases. The Admins at my particular college have bandwidth flags on certain ports and a global flag of somewhere around 1gb/day over 3 days. Break that, and the admin gets very interested in what you are doing with your boxen.
I'm sure other colleges have similar schemes, and I've heard of many colleges which are even more strict with their bandwith (200mb/day limit, etc). These academic boxes may make good targets because of their relatively user intervention and user experience, but they don't have that great of a pipe on them, relatively speaking. If it was me, I would have gone after servers that also run wireless access points. Hard to tell where the bandwidth goes in some cases with those.
this just in... (Score:4, Funny)
and in other news...
cheerio's get soggy in milk
Comment removed (Score:5, Funny)
I've said it before and i'll say it again.... (Score:2)
Strategic issues (Score:4, Interesting)
I see a day coming when, in one day, half the computers in the US have their disks erased.
The Washington Post has more coverage (Score:4, Informative)
Washington Post has more coverage in this article, Hackers Strike Advanced Computing Networks [washingtonpost.com].
A few things to try..... (Score:5, Informative)
1. Patch your system! As soon as a patch comes out, get it applied and reboot if you have to! Also, stay up to date on security issues by subscribing to mailing lists that are related to the software your using. One good general purpose site is cert.org [cert.org]. Keep in mind that while mailing lists are great ways of being notified, they arent fool proof. If your subscription expires and you dont know about it, you wont be exactly up to date in the community now will you?
2. Use grsecurity [grsecurity.net]. This is a kernel patch that is briefly lagged behind official Linux kernel versions. It has many great features for protecting against stack attacks/buffer overflows. ie: Those latest greatest scripts your local script kiddie just downloaded wont likely do anything against you since special addresses are randomised. It can also hide files on your computer such as intergrity checkers so nobody except you know they exist. Plus it can stop insert code into a running kernel by making kernel memory readonly (which btw, would have prevented at least one of the attacks they mentioned).
3. Install a filesystem intergrity checker. Aide, integrit and tripwire all come to mind and essentially all do the same thing but with different config file syntax. Besides, how can you tell if a file is changed if you dont actually check? Also, dont forget to hide the existence of this program using something like grsec's gradm filesystem ACL util and be careful of automating checks in the crontab!
4. Read a good linux securing article. One such article I have read is called Securing & Optimizing Linux: The Ultimate Solution [tldp.org]. It will teach you how to lock a system down a fair bit and how to remove unused/unneeded services from your computer.
5. Watch those logs! Log files provide a wealth of information, but administrators rarely check them (well, not all). If you dont know what a log entry means, research it, or else you may be looking at an attack and not even realise it. Now I know some of you are thinking I am nuts considering just how many logs even a small system generates, but there are tools to help you. One way is to use a program called swatch (a perl script). It can parse existing and old archived log files using a perl regex syntax and trigger actions based on found text. Start by configuring the system to ignore any log entries that are known to be friendly and show you everything. Then slowly eliminate each friendly entry one at a time. What will be left is a list of purely evil enteries
Now I know I could go on forever with suggestions, but I think that these few things should give anyone a kick in the right direction. I hope this has been helpful.
not always .edu's fault (Score:3, Interesting)
Re:Attacks against universities? (Score:3, Interesting)
Nothing is written to a hard drive with this OS.
If so, how would this apply to the story on these attacks? How would anyone "gain control" of my computer under these circumstances.
BTW, Damn Small has a limit of 50 Mb, mine runs a little over 60 MB, and I put Mozilla Firefox and Wvdial in the remaster, as well as some office applications from the Debian list of over 8000 items
Re:Lazy Admin ? (Score:2, Interesting)
Of course, most Windows users are clueless, so the Linux/Unix admins are pretty much guilty in this situation.
To confess (anonymously), where I work we are pretty slack about security as well.. we use ssh and pam, wasn't there a known security risk with these 2 a few months ago?
Re:Attempts easy to guess passwords (Score:5, Interesting)
Re:Does anyone on the inside... (Score:5, Interesting)